head 1.2;
access;
symbols
    pkgsrc-2013Q2:1.2.0.4
    pkgsrc-2013Q2-base:1.2
    pkgsrc-2012Q4:1.2.0.2
    pkgsrc-2012Q4-base:1.2
    pkgsrc-2012Q1:1.1.0.4
    pkgsrc-2012Q1-base:1.1
    pkgsrc-2011Q4:1.1.0.2;
locks; strict;
comment @# @;

1.2
date 2012.04.14.11.22.07; author obache; state dead;
branches;
next 1.1;

1.1
date 2012.02.15.16.08.26; author drochner; state Exp;
branches
    1.1.2.1;
next ;

1.1.2.1
date 2012.02.15.16.08.26; author tron; state dead;
branches;
next 1.1.2.2;

1.1.2.2
date 2012.02.18.23.35.28; author tron; state Exp;
branches;
next ;

desc
@@

1.2
log
@Update python31 to 3.1.5.
(CVE-2012-0845 is already fixed in pkgsrc)

What's New in Python 3.1.5?
===========================

*Release date: 2012-04-08*

Core and Builtins
-----------------

- Issue #13703: oCERT-2011-003: add -R command-line option and PYTHONHASHSEED
  environment variable, to provide an opt-in way to protect against denial of
  service attacks due to hash collisions within the dict and set types. Patch
  by David Malcolm, based on work by Victor Stinner.

Library
-------

- Issue #14234: CVE-2012-0876: Randomize hashes of xml attributes in the hash
  table internal to the pyexpat module's copy of the expat library to avoid a
  denial of service due to hash collisions. Patch by David Malcolm with some
  modifications by the expat project.

- Issue #14001: CVE-2012-0845: xmlrpc: Fix an endless loop in
  SimpleXMLRPCServer upon malformed POST request.

- Issue #13885: CVE-2011-3389: the _ssl module would always disable the CBC IV
  attack countermeasure.

- Issue #11603: Fix a crash when __str__ is rebound as __repr__. Patch by
  Andreas Stührk.
@ text @$NetBSD: patch-CVE-2012-0845,v 1.1 2012/02/15 16:08:26 drochner Exp $ see python bug #14001 --- Lib/xmlrpc/server.py.orig 2011-06-11 15:48:51.000000000 +0000 +++ Lib/xmlrpc/server.py @@@@ -449,7 +449,10 @@@@ class SimpleXMLRPCRequestHandler(BaseHTT L = [] while size_remaining: chunk_size = min(size_remaining, max_chunk_size) - L.append(self.rfile.read(chunk_size)) + chunk = self.rfile.read(chunk_size) + if not chunk: + break + L.append(chunk) size_remaining -= len(L[-1]) data = b''.join(L) @ 1.1 log @apply fix for CVE-2012-0845 to other Python versions too (2.4 is not affected) @ text @d1 1 a1 1 $NetBSD$ @ 1.1.2.1 log @file patch-CVE-2012-0845 was added on branch pkgsrc-2011Q4 on 2012-02-18 23:35:28 +0000 @ text @d1 18 @ 1.1.2.2 log @Pullup ticket #3685 - requested by drochner lang/python25: security patch lang/python26: security patch lang/python27: security patch lang/python31: security patch Revisions pulled up: - lang/python25/Makefile 1.37 via patch - lang/python25/distinfo 1.22 - lang/python25/patches/patch-CVE-2012-0845 1.1 - lang/python26/Makefile 1.45 via patch - lang/python26/distinfo 1.43 - lang/python26/patches/patch-CVE-2012-0845 1.1 - lang/python27/Makefile 1.11 via patch - lang/python27/distinfo 1.15 - lang/python27/patches/patch-CVE-2012-0845 1.1 - lang/python31/Makefile 1.6 via patch - lang/python31/distinfo 1.8 - lang/python31/patches/patch-CVE-2012-0845 1.1 --- Module Name: pkgsrc Committed By: drochner Date: Wed Feb 15 12:21:41 UTC 2012 Modified Files: pkgsrc/lang/python26: Makefile distinfo Added Files: pkgsrc/lang/python26/patches: patch-CVE-2012-0845 Log Message: add patch from Python issue#14001 to fix xmlrpc server endless loop by malformed request bump PKGREV --- Module Name: pkgsrc Committed By: drochner Date: Wed Feb 15 16:08:26 UTC 2012 Modified Files: pkgsrc/lang/python25: Makefile distinfo pkgsrc/lang/python27: Makefile distinfo pkgsrc/lang/python31: Makefile distinfo Added Files: pkgsrc/lang/python25/patches: 
patch-CVE-2012-0845 pkgsrc/lang/python27/patches: patch-CVE-2012-0845 pkgsrc/lang/python31/patches: patch-CVE-2012-0845 Log Message: apply fix for CVE-2012-0845 to other Python versions too (2.4 is not affected) @ text @a0 18 $NetBSD$ see python bug #14001 --- Lib/xmlrpc/server.py.orig 2011-06-11 15:48:51.000000000 +0000 +++ Lib/xmlrpc/server.py @@@@ -449,7 +449,10 @@@@ class SimpleXMLRPCRequestHandler(BaseHTT L = [] while size_remaining: chunk_size = min(size_remaining, max_chunk_size) - L.append(self.rfile.read(chunk_size)) + chunk = self.rfile.read(chunk_size) + if not chunk: + break + L.append(chunk) size_remaining -= len(L[-1]) data = b''.join(L) @
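Review bot: in the `while size_remaining:` loop of Lib/xmlrpc/server.py, the new `if not chunk: break` ends the read early, but the code then falls through to `data = b''.join(L)` with fewer bytes than the loop set out to read, and nothing in the visible lines rejects or records the short body. Consider checking `size_remaining` after the loop and failing the request (or at least logging it) when the value is still non-zero, so a truncated POST is not handed on as if it were complete. Minor: `size_remaining -= len(L[-1])` can now be written `size_remaining -= len(chunk)`, which ties the decrement to the new variable and drops the list lookup.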